Psiphon security advisory: corrupted Windows Authenticode signatures


in...@psiphon.ca

Aug 29, 2013, 2:29:58 PM
to psip...@googlegroups.com
A bug has been identified in Psiphon 3 for Windows versions 53 to 61 which caused the executable digital signature to be corrupted (an extra byte was added to the executable file) when the executable was extracted from an automated upgrade package.

This bug did not affect regular downloads (e.g., if you go to psiphon3.com and download psiphon3.exe) or email attachments; in addition, the additional signature validation performed on automated upgrade packages remained intact.

In other words, only valid executables would be extracted and applied -- but the Windows Authenticode signature would not appear after the extraction process. This would cause users to be unable to manually verify upgraded executables and also, in at least one reported case, cause anti-virus software to issue an alert concerning the executable's signature.

This bug is fixed in Psiphon 3 for Windows version 62, which will be available today.
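
One way to spot this kind of corruption after extraction, as an added example that is not part of the advisory and not Psiphon's code: it reads the PE security directory and checks that the Authenticode certificate table ends exactly at end of file. It assumes the extra byte lands after the certificate table (the advisory does not say where the byte was added); the function names and the sample file are constructed for illustration.

```python
import struct

SECURITY_DIR = 4  # index of IMAGE_DIRECTORY_ENTRY_SECURITY in the data directory


def cert_table_span(pe: bytes):
    """Return (file offset, size) of the certificate table, or None if absent."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20  # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)  # PE32 vs PE32+
    (count,) = struct.unpack_from("<I", pe, dirs - 4)  # NumberOfRvaAndSizes
    if count <= SECURITY_DIR:
        return None
    offset, size = struct.unpack_from("<II", pe, dirs + 8 * SECURITY_DIR)
    return (offset, size) if offset and size else None


def check_signature_layout(pe: bytes) -> str:
    """Classify where the certificate table ends relative to end of file."""
    span = cert_table_span(pe)
    if span is None:
        return "unsigned"
    end = span[0] + span[1]
    if end > len(pe):
        return "truncated"
    if end < len(pe):
        return f"trailing:{len(pe) - end}"  # bytes added after signing
    return "ok"


def build_sample_pe(cert_len: int = 16) -> bytes:
    """Constructed PE32 header plus dummy certificate bytes (not a real signature)."""
    hdr = bytearray(320)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 64)        # e_lfanew
    hdr[64:68] = b"PE\0\0"
    opt = 64 + 4 + 20
    struct.pack_into("<H", hdr, opt, 0x10B)      # PE32 magic
    struct.pack_into("<I", hdr, opt + 92, 16)    # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, opt + 96 + 8 * SECURITY_DIR, 320, cert_len)
    return bytes(hdr) + b"\xAA" * cert_len
```

This is a layout check only: an "ok" result does not validate the signature, which still has to be verified with the platform's Authenticode tooling.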
